CVE-2023-31043

7.5 HIGH

📋 TL;DR

EnterpriseDB EDB Postgres Advanced Server (EPAS) versions before the fixed releases log unredacted passwords in CREATE/ALTER USER/GROUP/ROLE commands when optional parameters are used, even when password redaction is configured. This exposes sensitive credentials in log files. Organizations using affected EPAS versions with password redaction enabled are vulnerable.

💻 Affected Systems

Products:
  • EnterpriseDB EDB Postgres Advanced Server (EPAS)
Versions: All versions before 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0
Operating Systems: All supported operating systems
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when edb_filter_log.redact_password_commands is configured (password redaction is enabled) and optional parameters are used with CREATE/ALTER USER/GROUP/ROLE commands.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with access to log files can extract database user passwords, leading to full database compromise, privilege escalation, and potential lateral movement to other systems.

🟠 Likely Case

Database administrators or users with log access inadvertently expose credentials, which could be exploited by malicious insiders or attackers who gain log access through other means.

🟢 If Mitigated

With proper access controls limiting log file access and monitoring, the impact is reduced to potential internal credential exposure with limited exploitation opportunities.

🌐 Internet-Facing: MEDIUM - While the vulnerability itself doesn't expose logs externally, internet-facing databases often have more complex logging pipelines that could increase exposure risk.
🏢 Internal Only: HIGH - Internal databases frequently have less restrictive log access controls, making credential extraction easier for attackers who breach the network perimeter.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to database log files, which typically requires some level of system or database access. Once log access is obtained, reading the logged passwords requires no further effort.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.23.33, 11.18.29, 12.13.17, 13.9.13, or 14.6.0 depending on major version

Vendor Advisory: https://www.enterprisedb.com/docs/epas/14/epas_rel_notes/epas14_6_0_rel_notes/

Restart Required: Yes

Instructions:

1. Identify current EPAS version.
2. Download appropriate fixed version from EnterpriseDB portal.
3. Backup database.
4. Stop EPAS service.
5. Install updated version.
6. Restart EPAS service.
7. Verify version and functionality.

🔧 Temporary Workarounds

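Disable password redaction (platform: all)

Temporarily disable the edb_filter_log.redact_password_commands feature to prevent the logging bug from exposing passwords. With redaction disabled, any CREATE/ALTER USER/GROUP/ROLE statement that is written to the log carries its password unredacted, so combine this with restricted log file access.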

ALTER SYSTEM SET edb_filter_log.redact_password_commands = off;
SELECT pg_reload_conf();

Restrict log file access (platform: linux)

Implement strict file permissions on EPAS log directories to limit access to authorized personnel only.

chmod 640 /path/to/epas/logs/*
chown postgres:postgres /path/to/epas/logs/*

🧯 If You Can't Patch

  • Implement strict access controls on database log files and directories
  • Monitor and audit access to EPAS log files for suspicious activity
  • Avoid using optional parameters with CREATE/ALTER USER/GROUP/ROLE commands
  • Regularly rotate database passwords to limit exposure window

🔍 How to Verify

Check if Vulnerable:

Check EPAS version and verify if edb_filter_log.redact_password_commands is enabled: SELECT current_setting('edb_filter_log.redact_password_commands');

Check Version:

SELECT version();

Verify Fix Applied:

Verify version is at or above fixed release: SELECT version(); and confirm it matches patched versions.

📡 Detection & Monitoring

Log Indicators:

  • Plaintext passwords in EPAS log files following CREATE/ALTER USER commands with optional parameters
  • Unexpected access patterns to database log files

Network Indicators:

  • Unusual database authentication attempts from new locations or users

SIEM Query:

source="epas_logs" AND ("CREATE USER" OR "ALTER USER" OR "CREATE ROLE" OR "ALTER ROLE" OR "CREATE GROUP" OR "ALTER GROUP") AND "PASSWORD" NOT "[REDACTED]"
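
The same check as a log scan, given here as an added example that is not part of the original page or of EnterpriseDB's tooling: it finds CREATE/ALTER USER/ROLE/GROUP statements whose password value is not a redaction placeholder and reports line number and role name without echoing the secret. The log lines are constructed, and the placeholder values (`x`, `[REDACTED]`) and the name `find_unredacted` are assumptions to adjust to what your server actually writes.

```python
import re

# Values treated as "already redacted". Both are assumptions: '[REDACTED]' is
# taken from the SIEM query above, 'x' is an assumed filter placeholder.
REDACTED = {"x", "[REDACTED]"}

# CREATE/ALTER USER|ROLE|GROUP <name> ... PASSWORD '<literal>' | IDENTIFIED BY <value>
STMT = re.compile(
    r"\b(CREATE|ALTER)\s+(USER|ROLE|GROUP)\s+(\"[^\"]+\"|\w+)"
    r".*?\b(?:PASSWORD|IDENTIFIED\s+BY)\s+('(?:[^']|'')*'|\w+)",
    re.IGNORECASE,
)

def find_unredacted(lines):
    """Return (line_no, command, role) for each statement whose password value
    is not a placeholder. The secret itself is never returned or printed."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = STMT.search(line)
        if not m:
            continue
        value = m.group(4).strip("'")
        if value.upper() == "NULL" or value in REDACTED:
            continue  # password cleared or already redacted
        hits.append((no, f"{m.group(1).upper()} {m.group(2).upper()}", m.group(3)))
    return hits

# Constructed sample log lines (not real EPAS output).
SAMPLE_LOG = [
    "2023-04-20 10:01:02 UTC LOG:  statement: CREATE USER alice PASSWORD 'x';",
    "2023-04-20 10:02:10 UTC LOG:  statement: ALTER ROLE bob WITH LOGIN "
    "PASSWORD 'S3cr3t-constructed' VALID UNTIL '2024-01-01';",
    "2023-04-20 10:03:45 UTC LOG:  statement: SELECT * FROM notes WHERE t = 'password reset';",
    "2023-04-20 10:04:00 UTC LOG:  statement: ALTER USER carol PASSWORD NULL;",
    "2023-04-20 10:05:30 UTC LOG:  statement: CREATE ROLE ops CONNECTION LIMIT 5 "
    "IDENTIFIED BY '[REDACTED]';",
]

if __name__ == "__main__":
    for no, cmd, role in find_unredacted(SAMPLE_LOG):
        print(f"line {no}: {cmd} for role {role} logged an unredacted password; rotate it")
```

Every role the scan reports should have its password rotated, since the value may already have been copied from the log or from a log archive.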
